So I have a Scientific Linux 6.3 machine (a RHEL clone, so the question is basically Red Hat related) called "B" (with an extra "A" HDD besides the system HDD) and a notebook with SL 6.3. They are in a /24 IPv4 subnet and can fully reach each other.

Q: How can I export the "A" HDD device to the notebook, so that on the notebook I could see the "A" HDD as a device /HDD/, and locally encrypt it using LUKS? (I know this last encrypting part.)

The important thing is that I need the connection to be secured (SSL?) so that no one can intercept the data that I encrypt on the notebook. OR: is it already encrypted via LUKS (and an SSL connection between the notebook and the "B" machine would just be overhead)? Extra: I also need the "exporting of the device" to be routable over the network.

PS: so the main question is: is encrypted communication needed between the notebook and the "B" machine, or is ALL the data on the HDD already encrypted when leaving the notebook (even the LUKS password too??)

2 Answers

On the server end, you tell iet to take a file or block device and expose it as an iSCSI target.

On the client end, you run an iSCSI initiator. You'll then be able to mount the target as a block device, i.e. /dev/iscsi_target_1

You can then take this /dev/iscsi_target_1 and encrypt it using cryptsetup or truecrypt on your end. Only encrypted data goes back and forth over the iSCSI session, similar to how only encrypted data would go over a SATA or other storage link in the same situation with a locally attached device.

Something a bit simpler that may work for you too: you could just create a large file on the server end and share it using NFS or samba, and use truecrypt to encrypt it on the client end - the encryption/decryption occurs on the system truecrypt is running on and no unencrypted data would be transferred. I believe you could also mount that large file as a loopback device and use cryptsetup to make a LUKS volume.

As the export data is encrypted, you don't need to encrypt the traffic. You probably don't need to authenticate it either (if there's a man in the middle, your passphrase will take care of authentication, as if you're not presented with a device where the key can be decrypted with your passphrase, it will just fail).

A simple solution that also works over the internet to export a block device is nbd (network block device). Run an nbd-server on the exporting machine and nbd-client where you want to use it. nbd devices can also be partitioned (modprobe nbd max_part=16).

nbd is over one TCP connection, so you can also encapsulate it in ssh or openssl (using socat), or SOCKS or an HTTP proxy...
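As an added worked example (not from either answer above), the following script puts the nbd-over-ssh variant together with the LUKS-on-top step from the first answer: it writes an nbd-server config for machine "B" and emits the ordered commands the notebook runs. It assumes the "A" HDD is /dev/sdb on B, that B is reachable by the name "B" with an ssh account "user", that nbd uses port 10809, and that nbd-server accepts the old-style config format with `port` and `listenaddr` per export section. Binding the export to 127.0.0.1 and reaching it only through the ssh tunnel is a deliberate choice: LUKS gives confidentiality of the blocks, but any host on the /24 that can talk to an open nbd port could still overwrite or corrupt them (the LUKS header included), so the tunnel buys integrity and access control, not just secrecy.

```shell
#!/bin/sh
# Added example (not the answers' own code). Generates the server-side
# nbd-server config and prints the client-side command sequence.
# Assumptions (constructed for this example): server host "B", ssh account
# "user", export backing device /dev/sdb (the "A" HDD), nbd TCP port 10809.

NBD_PORT=10809
EXPORT_DEV=/dev/sdb        # assumed: the "A" HDD as seen on machine B
SERVER_HOST=B              # assumed: resolvable name of the server
SSH_USER=user              # assumed: ssh account on the server

# Server side (machine B): write the nbd-server config to the path given as $1.
# listenaddr = 127.0.0.1 keeps the raw block device off the /24; only the
# ssh tunnel below can reach it, so no other host can read or overwrite blocks.
write_nbd_server_config() {
    out="$1"
    cat > "$out" <<EOF
[generic]
[hdd_a]
exportname = $EXPORT_DEV
port = $NBD_PORT
listenaddr = 127.0.0.1
EOF
    printf '%s\n' "$out"
}

# Client side (the notebook): the ordered commands, emitted as text so they
# can be reviewed before being run as root. luksFormat destroys whatever is
# on the device, so it is only run once, on first setup. Everything after
# nbd-client happens on plaintext only inside the notebook's kernel; the
# nbd/ssh session carries LUKS ciphertext exclusively.
client_sequence() {
    cat <<EOF
ssh -N -L $NBD_PORT:127.0.0.1:$NBD_PORT $SSH_USER@$SERVER_HOST &
modprobe nbd max_part=16
nbd-client 127.0.0.1 $NBD_PORT /dev/nbd0
cryptsetup luksFormat /dev/nbd0
cryptsetup luksOpen /dev/nbd0 hdd_a
mkfs.ext4 /dev/mapper/hdd_a
mount /dev/mapper/hdd_a /mnt/hdd_a
EOF
}

# Usage: ./nbd_luks_setup.sh show        (prints the client sequence)
#        write_nbd_server_config /etc/nbd-server/config   (on machine B)
case "${1:-}" in
    show) client_sequence ;;
esac
```

Nothing in the script touches a device by itself; the server config is written where you point it, and the client commands are printed for review. The reverse order (umount, luksClose, nbd-client -d /dev/nbd0, then kill the ssh tunnel) tears the setup down.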